User role customization in the SCVMM Self Service Portal

One of my colleagues brought me a question that was interesting to consider and worth looking up a solution for. His requirement was to assign virtual PCs to selected users and allow them to see only the virtual PCs assigned to them. Of course this seems to be an easy task under SCVMM, but in practice things didn't go as smoothly as when I tried to explain it to him 🙂

Below are the steps we carried out first:

1. Assign a user account certain rights under SCVMM. For this I took one domain user account and assigned that user the relevant permissions.

Select the actions the user can carry out on the VPC. In this scenario I gave him all the actions that are possible under the SCVMM console.

2. In order to make this VPC visible in his Self Service Portal, I had to give ownership of this VPC to the relevant user.

Once that part is completed, our selected user can see the relevant VPC under his SCVMM.

All was fine until we ran into the next issue. What if this user is absent and we need to do some maintenance or look over this VPC for troubleshooting purposes? VPC ownership can be given to only one user at a time, so another user won't see this VPC under his Self Service Portal. Finally we managed to solve the problem by assigning the ownership of the VPCs to a GROUP instead of user accounts. Funnily enough, this reminded me of the fundamentals of Windows ACLs (put accounts into groups, and then grant permissions to the groups).

We managed to apply the same theory here, as follows:

First, create the relevant service-level groups in Active Directory, and then add the relevant users.

Move to the SCVMM server and, under the Administration section, add the group and give it the same permissions as were provided above for a single user.

Next, under the Virtual Machines section, select each VPC and select the group we created as the owner.

Once that is completed, logging in with one of the user accounts in that group lets us see the virtual PCs assigned to that group.
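The same group-based steps can be scripted and then checked. This is an added example, not part of the original post: it assumes the VMM 2008 R2 PowerShell snap-in and the ActiveDirectory module (cmdlet names differ in later VMM versions), and every server, domain, group, user and VM name in it is a constructed placeholder.

```powershell
# Added example; assumes the VMM 2008 R2 snap-in and the ActiveDirectory module.
# All names below are constructed placeholders, not values from the post.
Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager
Import-Module ActiveDirectory

$vmmServer = 'vmm01.example.local'   # placeholder VMM server
$groupName = 'VPC-Support'           # placeholder AD group
$groupAcct = "EXAMPLE\$groupName"    # placeholder domain\group
$members   = 'alice', 'bob'          # placeholder user accounts
$vmNames   = 'VPC-01', 'VPC-02'      # placeholder virtual machines

# 1. Create the service-level group in Active Directory and add the users.
New-ADGroup -Name $groupName -SamAccountName $groupName `
    -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $groupName -Members $members

# 2. Create a self-service user role whose member is the group, not a user.
#    The post grants every action; listing only the actions the group needs
#    keeps the role closer to least privilege.
Get-VMMServer -ComputerName $vmmServer | Out-Null
$scope = Get-VMHostGroup | Where-Object { $_.Name -eq 'All Hosts' }
$role  = New-VMMUserRole -Name 'VPC Support' -UserRoleProfile SelfServiceUser
Set-VMMUserRole -UserRole $role -AddMember $groupAcct -AddScope $scope `
    -VMPermission Start, Stop, Shutdown, PauseAndResume, Checkpoint, RemoteConnect

# 3. Make the group the owner of each VPC so every member sees it in the portal.
foreach ($name in $vmNames) {
    $vm = Get-VM | Where-Object { $_.Name -eq $name }
    Set-VM -VM $vm -Owner $groupAcct | Out-Null
}

# 4. Check: list any of these VPCs still owned by someone other than the group.
Get-VM |
    Where-Object { $vmNames -contains $_.Name -and $_.Owner -ne $groupAcct } |
    Select-Object Name, Owner
```

An empty result from the last command means every listed VPC is owned by the group; any row it prints is a VPC that members of the group will not see in the portal.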

In a scenario where the relevant users are not available, the Administrator still has the privilege of logging in and making the necessary modifications to the VPCs. Even so, it would be ideal if we had the option of assigning permissions for each VPC and still allowing other users to access the same VPC through the User Portal.